On 01/29/2013 01:34 PM, Daniel J Walsh wrote:
On 01/29/2013 01:19 PM, Steve Wilson wrote:
> I'm migrating a CUPS print server from Ubuntu to RHEL6. Previously I had
> CUPS configured to listen on port 80, 443 and 631. Now SELinux is
> preventing CUPS from binding to ports 80 and 443. What would be the
> recommended way to permit this in SELinux?
>
> Thanks! Steve
I would just add a custom policy.

# grep cups /var/log/audit/audit.log | audit2allow -M mycups
# semodule -i mycups.pp

Another option would be to change the labels on those ports to cups ports, but
this would break httpd if it was also looking to use those ports.

# semanage port -m -t cups_port_t -p tcp 80

Thanks for the prompt response. This is probably a very basic SELinux
question, but when CUPS is denied access to ports 80 and 443 there are
no corresponding log entries in audit.log. The CUPS error log shows:

E [29/Jan/2013:13:45:24 -0500] Unable to bind socket for address 128.210.18.165:80 - Permission denied.
E [29/Jan/2013:13:45:24 -0500] Unable to bind socket for address 128.210.18.165:443 - Permission denied.

And I don't get these CUPS messages when SELinux is in permissive mode.
Yes, auditd is running and I do see other messages in audit.log.

Any thoughts???

Thanks,
Steve
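
Added example, not part of the thread: the `grep cups ... | audit2allow` pipeline quoted above works from name_bind AVC records in audit.log, so this sketch summarizes such records per domain and port type and prints the allow rule in the form audit2allow emits. The log lines are constructed, and the type names cupsd_t and http_port_t in them are assumptions; an empty result corresponds to the case in the follow-up where no denial was logged.

```python
import re
from collections import defaultdict

# Constructed sample records (not from the thread). cupsd_t and http_port_t
# are assumed type names for the CUPS domain and for ports 80/443.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1359485124.101:510): avc:  denied  { name_bind } for  pid=2211 comm="cupsd" src=80 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1359485124.102:511): avc:  denied  { name_bind } for  pid=2211 comm="cupsd" src=443 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1359485130.007:512): avc:  denied  { read } for  pid=2300 comm="httpd" name="index.html" dev=dm-0 ino=1312 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1359485124.101:510): arch=c000003e syscall=49 success=no exit=-13 comm="cupsd" exe="/usr/sbin/cupsd"
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+) \}.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=(?P<scon>\S+) tcontext=(?P<tcon>\S+) tclass=(?P<tclass>\S+)')

def selinux_type(context):
    """Return the type field (third) of a user:role:type:level context."""
    return context.split(":")[2]

def bind_denials(log_text, comm):
    """Map (source type, port type, class) -> sorted ports denied name_bind."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m or m["comm"] != comm or "name_bind" not in m["perms"].split():
            continue
        port = re.search(r"\bsrc=(\d+)", line)  # src= carries the local port
        if port:
            key = (selinux_type(m["scon"]), selinux_type(m["tcon"]), m["tclass"])
            found[key].add(int(port[1]))
    return {k: sorted(v) for k, v in found.items()}

def allow_rules(denials):
    """One allow rule per (domain, port type, class), audit2allow style."""
    return [f"allow {s} {t}:{c} name_bind;" for (s, t, c) in sorted(denials)]

if __name__ == "__main__":
    denials = bind_denials(SAMPLE_AUDIT_LOG, "cupsd")
    for (src, tgt, cls), ports in denials.items():
        print(f"{src} denied name_bind on {tgt} ({cls}) ports {ports}")
    print("\n".join(allow_rules(denials)) or "no name_bind denials logged")
```

The port type reported for each denial is the label currently on that port, which is the label the semanage relabel option above would replace.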